Efficient access to user-related data for determining usage of enterprise resource systems

ABSTRACT

An example embodiment may involve a method performed by a software application executable on a central enterprise resource planning (ERP) client of a plurality of ERP clients. The ERP clients may be contained within a managed network. Each ERP client may be associated with one or more computing devices of the managed network on which ERP software is executable. Each ERP client may include a database that stores user-related data for individual users of the managed network whom are authorized to access the ERP client. The method may involve communicating with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in databases of the other ERP clients, storing the user-related data from the other ERP clients, and transmitting the user-related data to a computing device of a computational instance contained in a remote network management platform associated with the managed network.

BACKGROUND

An enterprise may license software and install the licensed software on various computing devices in the enterprise's managed network. In order to comply with license rights associated with the licensed software, it can be desirable for the enterprise to keep track of where and how the licensed software is used in the managed network. However, tracking use and detecting mismanagement or misuse of licensed software can be difficult, particularly when a large number of users and devices in the managed network are using the licensed software and/or when the licensed software is licensed in accordance with a complex licensing model.

SUMMARY

An example of licensed software is software is enterprise resource planning (ERP) software, which can take the form of one software application or suite of software applications that are configured for use by an enterprise in collecting, storing, managing, and interpreting data related to a variety of enterprise operations, such as human resources, finance, information technology, supply chain, customer relationship management, or other operations that are unique to the enterprise.

ERP software can be installed on and executed by multiple computing devices within the enterprise's managed network. In particular, the managed network can contain multiple “ERP clients,” each of which takes the form of one or more computing devices of the managed network on which the ERP software is installed. Each ERP client can have its own data that is collected, stored, managed, etc., in accordance with the services provided by the ERP software. In addition, each ERP client can be configured to store, in the ERP client's database, license data listing individual users whom are licensed to access the ERP client and the access capabilities of these users (e.g., the capabilities of the ERP software that the users' respective licenses authorize the users to access and use).

To track compliance with ERP software licenses, an enterprise might be required to acquire authorization to log on to each ERP client, connect one or more external systems to each ERP client, and independently retrieve the license data from each ERP client. However, this can be a complex, unworkable, and time consuming process, particularly when the managed network includes large quantities (e.g., hundreds) of ERP clients distributed across multiple physical sites. In addition, due to the time consuming nature of this process, the license data may likely be out of date by the time all of the license data is collected. This process can have other drawbacks as well.

To address these issues, the methods and systems described herein reduce the time and complexity associated with collecting license data from ERP clients, which in turn can improve the manner in which the enterprise track ERP software license compliance.

Accordingly, a first example embodiment may involve a method performed by a software application executable on a central ERP client of a plurality of ERP clients. The ERP clients may be contained within a managed network as part of an ERP system. Each ERP client may be associated with one or more computing devices of the managed network on which ERP software is executable. Each ERP client may include a database that stores user-related data containing a list of identifiers of individual users of the managed network whom are authorized to access the ERP client and respective access capabilities thereof. The method may involve communicating with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in databases of the other ERP clients. The method may also involve storing, in the database of the central ERP client, the user-related data from the other ERP clients. The method may also involve transmitting, to a computing device of a computational instance, the user-related data from the other ERP clients. The computational instance may be contained in a remote network management platform associated with the managed network.

In a second example embodiment, an article of manufacture may include a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a computing system, cause the computing system to perform operations in accordance with the first example embodiment.

In a third example embodiment, a computing system may include at least one processor, as well as memory and program instructions. The program instructions may be stored in the memory, and upon execution by the at least one processor, cause the computing system to perform operations in accordance with the first example embodiment.

In a fourth example embodiment, a system may include various means for carrying out each of the operations of the first example embodiment.

These, as well as other embodiments, aspects, advantages, and alternatives, will become apparent to those of ordinary skill in the art by reading the following detailed description, with reference where appropriate to the accompanying drawings. Further, this summary and other descriptions and figures provided herein are intended to illustrate embodiments by way of example only and, as such, that numerous variations are possible. For instance, structural elements and process steps can be rearranged, combined, distributed, eliminated, or otherwise changed, while remaining within the scope of the embodiments as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a schematic drawing of a computing device, in accordance with example embodiments.

FIG. 2 illustrates a schematic drawing of a server device cluster, in accordance with example embodiments.

FIG. 3 depicts a remote network management architecture, in accordance with example embodiments.

FIG. 4 depicts a communication environment involving a remote network management architecture, in accordance with example embodiments.

FIG. 5A depicts another communication environment involving a remote network management architecture, in accordance with example embodiments.

FIG. 5B is a flow chart, in accordance with example embodiments.

FIG. 6 shows an example ERP system, in accordance with example embodiments.

FIG. 7 depicts another communication environment involving a remote network management architecture, in accordance with example embodiments.

FIG. 8 is a flow chart, in accordance with example embodiments.

DETAILED DESCRIPTION

Example methods, devices, and systems are described herein. It should be understood that the words “example” and “exemplary” are used herein to mean “serving as an example, instance, or illustration.” Any embodiment or feature described herein as being an “example” or “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or features unless stated as such. Thus, other embodiments can be utilized and other changes can be made without departing from the scope of the subject matter presented herein.

Accordingly, the example embodiments described herein are not meant to be limiting. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations. For example, the separation of features into “client” and “server” components may occur in a number of ways.

Further, unless context suggests otherwise, the features illustrated in each of the figures may be used in combination with one another. Thus, the figures should be generally viewed as component aspects of one or more overall embodiments, with the understanding that not all illustrated features are necessary for each embodiment.

Additionally, any enumeration of elements, blocks, or steps in this specification or the claims is for purposes of clarity. Thus, such enumeration should not be interpreted to require or imply that these elements, blocks, or steps adhere to a particular arrangement or are carried out in a particular order.

I. Introduction

A large enterprise is a complex entity with many interrelated operations. Some of these are found across the enterprise, such as human resources (HR), supply chain, information technology (IT), and finance. However, each enterprise also has its own unique operations that provide essential capabilities and/or create competitive advantages.

To support widely-implemented operations, enterprises typically use off-the-shelf software applications, such as customer relationship management (CRM) and human capital management (HCM) packages. However, they may also need custom software applications to meet their own unique requirements. A large enterprise often has dozens or hundreds of these custom software applications. Nonetheless, the advantages provided by the embodiments herein are not limited to large enterprises and may be applicable to an enterprise, or any other type of organization, of any size.

Many such software applications are developed by individual departments within the enterprise. These range from simple spreadsheets to custom-built software tools and databases. But the proliferation of siloed custom software applications has numerous disadvantages. It negatively impacts an enterprise's ability to run and grow its operations, innovate, and meet regulatory requirements. The enterprise may find it difficult to integrate, streamline and enhance its operations due to lack of a single system that unifies its subsystems and data.

To efficiently create custom applications, enterprises would benefit from a remotely-hosted application platform that eliminates unnecessary development complexity. The goal of such a platform would be to reduce time-consuming, repetitive application development tasks so that software engineers and individuals in other roles can focus on developing unique, high-value features.

In order to achieve this goal, the concept of Application Platform as a Service (aPaaS) is introduced, to intelligently automate workflows throughout the enterprise. An aPaaS system is hosted remotely from the enterprise, but may access data, applications, and services within the enterprise by way of secure connections. Such an aPaaS system may have a number of advantageous capabilities and characteristics. These advantages and characteristics may be able to improve the enterprise's operations and workflow for IT, HR, CRM, customer service, application development, and security.

The aPaaS system may support development and execution of model-view-controller (MVC) applications. MVC applications divide their functionality into three interconnected parts (model, view, and controller) in order to isolate representations of information from the manner in which the information is presented to the user, thereby allowing for efficient code reuse and parallel development. These applications may be web-based, and offer create, read, update, delete (CRUD) capabilities. This allows new applications to be built on a common application infrastructure.

The aPaaS system may support standardized application components, such as a standardized set of widgets for graphical user interface (GUI) development. In this way, applications built using the aPaaS system have a common look and feel. Other software components and modules may be standardized as well. In some cases, this look and feel can be branded or skinned with an enterprise's custom logos and/or color schemes.

The aPaaS system may support the ability to configure the behavior of applications using metadata. This allows application behaviors to be rapidly adapted to meet specific needs. Such an approach reduces development time and increases flexibility. Further, the aPaaS system may support GUI tools that facilitate metadata creation and management, thus reducing errors in the metadata.

The aPaaS system may support clearly-defined interfaces between applications, so that software developers can avoid unwanted inter-application dependencies. Thus, the aPaaS system may implement a service layer in which persistent state information and other data are stored.

The aPaaS system may support a rich set of integration features so that the applications thereon can interact with legacy applications and third-party applications. For instance, the aPaaS system may support a custom employee-onboarding system that integrates with legacy HR, IT, and accounting systems.

The aPaaS system may support enterprise-grade security. Furthermore, since the aPaaS system may be remotely hosted, it should also utilize security procedures when it interacts with systems in the enterprise or third-party networks and services hosted outside of the enterprise. For example, the aPaaS system may be configured to share data amongst the enterprise and other parties to detect and identify common security threats.

Other features, functionality, and advantages of an aPaaS system may exist. This description is for purpose of example and is not intended to be limiting.

As an example of the aPaaS development process, a software developer may be tasked to create a new application using the aPaaS system. First, the developer may define the data model, which specifies the types of data that the application uses and the relationships therebetween. Then, via a GUI of the aPaaS system, the developer enters (e.g., uploads) the data model. The aPaaS system automatically creates all of the corresponding database tables, fields, and relationships, which can then be accessed via an object-oriented services layer.

In addition, the aPaaS system can also build a fully-functional MVC application with client-side interfaces and server-side CRUD logic. This generated application may serve as the basis of further development for the user. Advantageously, the developer does not have to spend a large amount of time on basic application functionality. Further, since the application may be web-based, it can be accessed from any Internet-enabled client device. Alternatively or additionally, a local copy of the application may be able to be accessed, for instance, when Internet service is not available.

The aPaaS system may also support a rich set of pre-defined functionality that can be added to applications. These features include support for searching, email, templating, workflow design, reporting, analytics, social media, scripting, mobile-friendly output, and customized GUIs.

The following embodiments describe architectural and functional aspects of example aPaaS systems, as well as the features and advantages thereof.

II. Example Computing Devices and Cloud-Based Computing Environments

FIG. 1 is a simplified block diagram exemplifying a computing device 100, illustrating some of the components that could be included in a computing device arranged to operate in accordance with the embodiments herein. Computing device 100 could be a client device (e.g., a device actively operated by a user), a server device (e.g., a device that provides computational services to client devices), or some other type of computational platform. Some server devices may operate as client devices from time to time in order to perform particular operations, and some client devices may incorporate server features.

In this example, computing device 100 includes processor 102, memory 104, network interface 106, and an input/output unit 108, all of which may be coupled by a system bus 110 or a similar mechanism. In some embodiments, computing device 100 may include other components and/or peripheral devices (e.g., detachable storage, printers, and so on).

Processor 102 may be one or more of any type of computer processing element, such as a central processing unit (CPU), a co-processor (e.g., a mathematics, graphics, or encryption co-processor), a digital signal processor (DSP), a network processor, and/or a form of integrated circuit or controller that performs processor operations. In some cases, processor 102 may be one or more single-core processors. In other cases, processor 102 may be one or more multi-core processors with multiple independent processing units. Processor 102 may also include register memory for temporarily storing instructions being executed and related data, as well as cache memory for temporarily storing recently-used instructions and data.

Memory 104 may be any form of computer-usable memory, including but not limited to random access memory (RAM), read-only memory (ROM), and non-volatile memory (e.g., flash memory, hard disk drives, solid state drives, compact discs (CDs), digital video discs (DVDs), and/or tape storage). Thus, memory 104 represents both main memory units, as well as long-term storage. Other types of memory may include biological memory.

Memory 104 may store program instructions and/or data on which program instructions may operate. By way of example, memory 104 may store these program instructions on a non-transitory, computer-readable medium, such that the instructions are executable by processor 102 to carry out any of the methods, processes, or operations disclosed in this specification or the accompanying drawings.

As shown in FIG. 1, memory 104 may include firmware 104A, kernel 104B, and/or applications 104C. Firmware 104A may be program code used to boot or otherwise initiate some or all of computing device 100. Kernel 104B may be an operating system, including modules for memory management, scheduling and management of processes, input/output, and communication. Kernel 104B may also include device drivers that allow the operating system to communicate with the hardware modules (e.g., memory units, networking interfaces, ports, and busses), of computing device 100. Applications 104C may be one or more user-space software programs, such as web browsers or email clients, as well as any software libraries used by these programs. Memory 104 may also store data used by these and other programs and applications.

Network interface 106 may take the form of one or more wireline interfaces, such as Ethernet (e.g., Fast Ethernet, Gigabit Ethernet, and so on). Network interface 106 may also support communication over one or more non-Ethernet media, such as coaxial cables or power lines, or over wide-area media, such as Synchronous Optical Networking (SONET) or digital subscriber line (DSL) technologies. Network interface 106 may additionally take the form of one or more wireless interfaces, such as IEEE 802.11 (Wifi), BLUETOOTH®, global positioning system (GPS), or a wide-area wireless interface. However, other forms of physical layer interfaces and other types of standard or proprietary communication protocols may be used over network interface 106. Furthermore, network interface 106 may comprise multiple physical interfaces. For instance, some embodiments of computing device 100 may include Ethernet, BLUETOOTH®, and Wifi interfaces.

Input/output unit 108 may facilitate user and peripheral device interaction with computing device 100. Input/output unit 108 may include one or more types of input devices, such as a keyboard, a mouse, a touch screen, and so on. Similarly, input/output unit 108 may include one or more types of output devices, such as a screen, monitor, printer, and/or one or more light emitting diodes (LEDs). Additionally or alternatively, computing device 100 may communicate with other devices using a universal serial bus (USB) or high-definition multimedia interface (HDMI) port interface, for example.

In some embodiments, one or more computing devices like computing device 100 may be deployed to support an aPaaS architecture. The exact physical location, connectivity, and configuration of these computing devices may be unknown and/or unimportant to client devices. Accordingly, the computing devices may be referred to as “cloud-based” devices that may be housed at various remote data center locations.

FIG. 2 depicts a cloud-based server cluster 200 in accordance with example embodiments. In FIG. 2, operations of a computing device (e.g., computing device 100) may be distributed between server devices 202, data storage 204, and routers 206, all of which may be connected by local cluster network 208. The number of server devices 202, data storages 204, and routers 206 in server cluster 200 may depend on the computing task(s) and/or applications assigned to server cluster 200.

For example, server devices 202 can be configured to perform various computing tasks of computing device 100. Thus, computing tasks can be distributed among one or more of server devices 202. To the extent that these computing tasks can be performed in parallel, such a distribution of tasks may reduce the total time to complete these tasks and return a result. For purpose of simplicity, both server cluster 200 and individual server devices 202 may be referred to as a “server device.” This nomenclature should be understood to imply that one or more distinct server devices, data storage devices, and cluster routers may be involved in server device operations.

Data storage 204 may be data storage arrays that include drive array controllers configured to manage read and write access to groups of hard disk drives and/or solid state drives. The drive array controllers, alone or in conjunction with server devices 202, may also be configured to manage backup or redundant copies of the data stored in data storage 204 to protect against drive failures or other types of failures that prevent one or more of server devices 202 from accessing units of data storage 204. Other types of memory aside from drives may be used.

Routers 206 may include networking equipment configured to provide internal and external communications for server cluster 200. For example, routers 206 may include one or more packet-switching and/or routing devices (including switches and/or gateways) configured to provide (i) network communications between server devices 202 and data storage 204 via local cluster network 208, and/or (ii) network communications between the server cluster 200 and other devices via communication link 210 to network 212.

Additionally, the configuration of routers 206 can be based at least in part on the data communication requirements of server devices 202 and data storage 204, the latency and throughput of the local cluster network 208, the latency, throughput, and cost of communication link 210, and/or other factors that may contribute to the cost, speed, fault-tolerance, resiliency, efficiency and/or other design goals of the system architecture.

As a possible example, data storage 204 may include any form of database, such as a structured query language (SQL) database. Various types of data structures may store the information in such a database, including but not limited to tables, arrays, lists, trees, and tuples. Furthermore, any databases in data storage 204 may be monolithic or distributed across multiple physical devices.

Server devices 202 may be configured to transmit data to and receive data from data storage 204. This transmission and retrieval may take the form of SQL queries or other types of database queries, and the output of such queries, respectively. Additional text, images, video, and/or audio may be included as well. Furthermore, server devices 202 may organize the received data into web page representations. Such a representation may take the form of a markup language, such as the hypertext markup language (HTML), the extensible markup language (XML), or some other standardized or proprietary format. Moreover, server devices 202 may have the capability of executing various types of computerized scripting languages, such as but not limited to Perl, Python, PHP Hypertext Preprocessor (PHP), Active Server Pages (ASP), JavaScript, and so on. Computer program code written in these languages may facilitate the providing of web pages to client devices, as well as client device interaction with the web pages.

III. Example Remote Network Management Architecture

FIG. 3 depicts a remote network management architecture, in accordance with example embodiments. This architecture includes three main components, managed network 300, remote network management platform 320, and third-party networks 340, all connected by way of Internet 350.

Managed network 300 may be, for example, an enterprise network used by an entity for computing and communications tasks, as well as storage of data. Thus, managed network 300 may include client devices 302, server devices 304, routers 306, virtual machines 308, firewall 310, and/or proxy servers 312. Client devices 302 may be embodied by computing device 100, server devices 304 may be embodied by computing device 100 or server cluster 200, and routers 306 may be any type of router, switch, or gateway.

Virtual machines 308 may be embodied by one or more of computing device 100 or server cluster 200. In general, a virtual machine is an emulation of a computing system, and mimics the functionality (e.g., processor, memory, and communication resources) of a physical computer. One physical computing system, such as server cluster 200, may support up to thousands of individual virtual machines. In some embodiments, virtual machines 308 may be managed by a centralized server device or application that facilitates allocation of physical computing resources to individual virtual machines, as well as performance and error reporting. Enterprises often employ virtual machines in order to allocate computing resources in an efficient, as needed fashion. Providers of virtualized computing systems include VMWARE® and MICROSOFT®.

Firewall 310 may be one or more specialized routers or server devices that protect managed network 300 from unauthorized attempts to access the devices, applications, and services therein, while allowing authorized communication that is initiated from managed network 300. Firewall 310 may also provide intrusion detection, web filtering, virus scanning, application-layer gateways, and other applications or services. In some embodiments not shown in FIG. 3, managed network 300 may include one or more virtual private network (VPN) gateways with which it communicates with remote network management platform 320 (see below).

Managed network 300 may also include one or more proxy servers 312. An embodiment of proxy servers 312 may be a server device that facilitates communication and movement of data between managed network 300, remote network management platform 320, and third-party networks 340. In particular, proxy servers 312 may be able to establish and maintain secure communication sessions with one or more computational instances of remote network management platform 320. By way of such a session, remote network management platform 320 may be able to discover and manage aspects of the architecture and configuration of managed network 300 and its components. Possibly with the assistance of proxy servers 312, remote network management platform 320 may also be able to discover and manage aspects of third-party networks 340 that are used by managed network 300.

Firewalls, such as firewall 310, typically deny all communication sessions that are incoming by way of Internet 350, unless such a session was ultimately initiated from behind the firewall (i.e., from a device on managed network 300) or the firewall has been explicitly configured to support the session. By placing proxy servers 312 behind firewall 310 (e.g., within managed network 300 and protected by firewall 310), proxy servers 312 may be able to initiate these communication sessions through firewall 310. Thus, firewall 310 might not have to be specifically configured to support incoming sessions from remote network management platform 320, thereby avoiding potential security risks to managed network 300.

In some cases, managed network 300 may consist of a few devices and a small number of networks. In other deployments, managed network 300 may span multiple physical locations and include hundreds of networks and hundreds of thousands of devices. Thus, the architecture depicted in FIG. 3 is capable of scaling up or down by orders of magnitude.

Furthermore, depending on the size, architecture, and connectivity of managed network 300, a varying number of proxy servers 312 may be deployed therein. For example, each one of proxy servers 312 may be responsible for communicating with remote network management platform 320 regarding a portion of managed network 300. Alternatively or additionally, sets of two or more proxy servers may be assigned to such a portion of managed network 300 for purposes of load balancing, redundancy, and/or high availability.

Remote network management platform 320 is a hosted environment that provides aPaaS services to users, particularly to the operators of managed network 300. These services may take the form of web-based portals, for instance. Thus, a user can securely access remote network management platform 320 from, for instance, client devices 302, or potentially from a client device outside of managed network 300. By way of the web-based portals, users may design, test, and deploy applications, generate reports, view analytics, and perform other tasks.

As shown in FIG. 3, remote network management platform 320 includes four computational instances 322, 324, 326, and 328. Each of these instances may represent one or more server devices and/or one or more databases that provide a set of web portals, services, and applications (e.g., a wholly-functioning aPaaS system) available to a particular customer. In some cases, a single customer may use multiple computational instances. For example, managed network 300 may be an enterprise customer of remote network management platform 320, and may use computational instances 322, 324, and 326. The reason for providing multiple instances to one customer is that the customer may wish to independently develop, test, and deploy its applications and services. Thus, computational instance 322 may be dedicated to application development related to managed network 300, computational instance 324 may be dedicated to testing these applications, and computational instance 326 may be dedicated to the live operation of tested applications and services. A computational instance may also be referred to as a hosted instance, a remote instance, a customer instance, or by some other designation. Any application deployed onto a computational instance may be a scoped application, in that its access to databases within the computational instance can be restricted to certain elements therein (e.g., one or more particular database tables or particular rows with one or more database tables).

For purpose of clarity, the disclosure herein refers to the physical hardware, software, and arrangement thereof as a “computational instance.” Note that users may colloquially refer to the graphical user interfaces provided thereby as “instances.” But unless it is defined otherwise herein, a “computational instance” is a computing system disposed within remote network management platform 320.

The multi-instance architecture of remote network management platform 320 is in contrast to conventional multi-tenant architectures, over which multi-instance architectures exhibit several advantages. In multi-tenant architectures, data from different customers (e.g., enterprises) are comingled in a single database. While these customers' data are separate from one another, the separation is enforced by the software that operates the single database. As a consequence, a security breach in this system may impact all customers' data, creating additional risk, especially for entities subject to governmental, healthcare, and/or financial regulation. Furthermore, any database operations that impact one customer will likely impact all customers sharing that database. Thus, if there is an outage due to hardware or software errors, this outage affects all such customers. Likewise, if the database is to be upgraded to meet the needs of one customer, it will be unavailable to all customers during the upgrade process. Often, such maintenance windows will be long, due to the size of the shared database.

In contrast, the multi-instance architecture provides each customer with its own database in a dedicated computing instance. This prevents comingling of customer data, and allows each instance to be independently managed. For example, when one customer's instance experiences an outage due to errors or an upgrade, other computational instances are not impacted. Maintenance down time is limited because the database only contains one customer's data. Further, the simpler design of the multi-instance architecture allows redundant copies of each customer database and instance to be deployed in a geographically diverse fashion. This facilitates high availability, where the live version of the customer's instance can be moved when faults are detected or maintenance is being performed.

In some embodiments, remote network management platform 320 may include one or more central instances, controlled by the entity that operates this platform. Like a computational instance, a central instance may include some number of physical or virtual servers and database devices. Such a central instance may serve as a repository for data that can be shared amongst at least some of the computational instances. For instance, definitions of common security threats that could occur on the computational instances, software packages that are commonly discovered on the computational instances, and/or an application store for applications that can be deployed to the computational instances may reside in a central instance. Computational instances may communicate with central instances by way of well-defined interfaces in order to obtain this data.

In order to support multiple computational instances in an efficient fashion, remote network management platform 320 may implement a plurality of these instances on a single hardware platform. For example, when the aPaaS system is implemented on a server cluster such as server cluster 200, it may operate a virtual machine that dedicates varying amounts of computational, storage, and communication resources to instances. But full virtualization of server cluster 200 might not be necessary, and other mechanisms may be used to separate instances. In some examples, each instance may have a dedicated account and one or more dedicated databases on server cluster 200. Alternatively, computational instance 322 may span multiple physical devices.

In some cases, a single server cluster of remote network management platform 320 may support multiple independent enterprises. Furthermore, as described below, remote network management platform 320 may include multiple server clusters deployed in geographically diverse data centers in order to facilitate load balancing, redundancy, and/or high availability.

Third-party networks 340 may be remote server devices (e.g., a plurality of server clusters such as server cluster 200) that can be used for outsourced computational, data storage, communication, and service hosting operations. These servers may be virtualized (i.e., the servers may be virtual machines). Examples of third-party networks 340 may include AMAZON WEB SERVICES® and MICROSOFT® Azure. Like remote network management platform 320, multiple server clusters supporting third-party networks 340 may be deployed at geographically diverse locations for purposes of load balancing, redundancy, and/or high availability.

Managed network 300 may use one or more of third-party networks 340 to deploy applications and services to its clients and customers. For instance, if managed network 300 provides online music streaming services, third-party networks 340 may store the music files and provide web interface and streaming capabilities. In this way, the enterprise of managed network 300 does not have to build and maintain its own servers for these operations.

Remote network management platform 320 may include modules that integrate with third-party networks 340 to expose virtual machines and managed services therein to managed network 300. The modules may allow users to request virtual resources and provide flexible reporting for third-party networks 340. In order to establish this functionality, a user from managed network 300 might first establish an account with third-party networks 340, and request a set of associated resources. Then, the user may enter the account information into the appropriate modules of remote network management platform 320. These modules may then automatically discover the manageable resources in the account, and also provide reports related to usage, performance, and billing.

Internet 350 may represent a portion of the global Internet. However, Internet 350 may alternatively represent a different type of network, such as a private wide-area or local-area packet-switched network.

FIG. 4 further illustrates the communication environment between managed network 300 and computational instance 322, and introduces additional features and alternative embodiments. In FIG. 4, computational instance 322 is replicated across data centers 400A and 400B. These data centers may be geographically distant from one another, perhaps in different cities or different countries. Each data center includes support equipment that facilitates communication with managed network 300, as well as remote users.

In data center 400A, network traffic to and from external devices flows either through VPN gateway 402A or firewall 404A. VPN gateway 402A may be peered with VPN gateway 412 of managed network 300 by way of a security protocol such as Internet Protocol Security (IPSEC) or Transport Layer Security (TLS). Firewall 404A may be configured to allow access from authorized users, such as user 414 and remote user 416, and to deny access to unauthorized users. By way of firewall 404A, these users may access computational instance 322, and possibly other computational instances. Load balancer 406A may be used to distribute traffic amongst one or more physical or virtual server devices that host computational instance 322. Load balancer 406A may simplify user access by hiding the internal configuration of data center 400A, (e.g., computational instance 322) from client devices. For instance, if computational instance 322 includes multiple physical or virtual computing devices that share access to multiple databases, load balancer 406A may distribute network traffic and processing tasks across these computing devices and databases so that no one computing device or database is significantly busier than the others. In some embodiments, computational instance 322 may include VPN gateway 402A, firewall 404A, and load balancer 406A.

Data center 400B may include its own versions of the components in data center 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer 406B may perform the same or similar operations as VPN gateway 402A, firewall 404A, and load balancer 406A, respectively. Further, by way of real-time or near-real-time database replication and/or other operations, computational instance 322 may exist simultaneously in data centers 400A and 400B.

Data centers 400A and 400B as shown in FIG. 4 may facilitate redundancy and high availability. In the configuration of FIG. 4, data center 400A is active and data center 400B is passive. Thus, data center 400A is serving all traffic to and from managed network 300, while the version of computational instance 322 in data center 400B is being updated in near-real-time. Other configurations, such as one in which both data centers are active, may be supported.

Should data center 400A fail in some fashion or otherwise become unavailable to users, data center 400B can take over as the active data center. For example, domain name system (DNS) servers that associate a domain name of computational instance 322 with one or more Internet Protocol (IP) addresses of data center 400A may re-associate the domain name with one or more IP addresses of data center 400B. After this re-association completes (which may take less than one second or several seconds), users may access computational instance 322 by way of data center 400B.

FIG. 4 also illustrates a possible configuration of managed network 300. As noted above, proxy servers 312 and user 414 may access computational instance 322 through firewall 310. Proxy servers 312 may also access configuration items 410. In FIG. 4, configuration items 410 may refer to any or all of client devices 302, server devices 304, routers 306, and virtual machines 308, any applications or services executing thereon, as well as relationships between devices, applications, and services. Thus, the term “configuration items” may be shorthand for any physical or virtual device, or any application or service remotely discoverable or managed by computational instance 322, or relationships between discovered devices, applications, and services. Configuration items may be represented in a configuration management database (CMDB) of computational instance 322.

As noted above, VPN gateway 412 may provide a dedicated VPN to VPN gateway 402A. Such a VPN may be helpful when there is a significant amount of traffic between managed network 300 and computational instance 322, or security policies otherwise suggest or require use of a VPN between these sites. In some embodiments, any device in managed network 300 and/or computational instance 322 that directly communicates via the VPN is assigned a public IP address. Other devices in managed network 300 and/or computational instance 322 may be assigned private IP addresses (e.g., IP addresses selected from the 10.0.0.0-10.255.255.255 or 192.168.0.0-192.168.255.255 ranges, represented in shorthand as subnets 10.0.0.0/8 and 192.168.0.0/16, respectively).

IV. Example Device, Application, and Service Discovery

In order for remote network management platform 320 to administer the devices, applications, and services of managed network 300, remote network management platform 320 may first determine what devices are present in managed network 300, the configurations and operational statuses of these devices, and the applications and services provided by the devices, and well as the relationships between discovered devices, applications, and services. As noted above, each device, application, service, and relationship may be referred to as a configuration item. The process of defining configuration items within managed network 300 is referred to as discovery, and may be facilitated at least in part by proxy servers 312.

For purpose of the embodiments herein, an “application” may refer to one or more processes, threads, programs, client modules, server modules, or any other software that executes on a device or group of devices. A “service” may refer to a high-level capability provided by multiple applications executing on one or more devices working in conjunction with one another. For example, a high-level web service may involve multiple web application server threads executing on one device and accessing information from a database application that executes on another device.

FIG. 5A provides a logical depiction of how configuration items can be discovered, as well as how information related to discovered configuration items can be stored. For sake of simplicity, remote network management platform 320, third-party networks 340, and Internet 350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within computational instance 322. Computational instance 322 may transmit discovery commands to proxy servers 312. In response, proxy servers 312 may transmit probes to various devices, applications, and services in managed network 300. These devices, applications, and services may transmit responses to proxy servers 312, and proxy servers 312 may then provide information regarding discovered configuration items to CMDB 500 for storage therein. Configuration items stored in CMDB 500 represent the environment of managed network 300.

Task list 502 represents a list of activities that proxy servers 312 are to perform on behalf of computational instance 322. As discovery takes place, task list 502 is populated. Proxy servers 312 repeatedly query task list 502, obtain the next task therein, and perform this task until task list 502 is empty or another stopping condition has been reached.

To facilitate discovery, proxy servers 312 may be configured with information regarding one or more subnets in managed network 300 that are reachable by way of proxy servers 312. For instance, proxy servers 312 may be given the IP address range 192.168.0/24 as a subnet. Then, computational instance 322 may store this information in CMDB 500 and place tasks in task list 502 for discovery of devices at each of these addresses.

FIG. 5A also depicts devices, applications, and services in managed network 300 as configuration items 504, 506, 508, 510, and 512. As noted above, these configuration items represent a set of physical and/or virtual devices (e.g., client devices, server devices, routers, or virtual machines), applications executing thereon (e.g., web servers, email servers, databases, or storage arrays), relationships therebetween, as well as services that involve multiple individual configuration items.

Placing the tasks in task list 502 may trigger or otherwise cause proxy servers 312 to begin discovery. Alternatively or additionally, discovery may be manually triggered or automatically triggered based on triggering events (e.g., discovery may automatically begin once per day at a particular time).

In general, discovery may proceed in four logical phases: scanning, classification, identification, and exploration. Each phase of discovery involves various types of probe messages being transmitted by proxy servers 312 to one or more devices in managed network 300. The responses to these probes may be received and processed by proxy servers 312, and representations thereof may be transmitted to CMDB 500. Thus, each phase can result in more configuration items being discovered and stored in CMDB 500.

In the scanning phase, proxy servers 312 may probe each IP address in the specified range of IP addresses for open Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP) ports to determine the general type of device. The presence of such open ports at an IP address may indicate that a particular application is operating on the device that is assigned the IP address, which in turn may identify the operating system used by the device. For example, if TCP port 135 is open, then the device is likely executing a WINDOWS® operating system. Similarly, if TCP port 22 is open, then the device is likely executing a UNIX® operating system, such as LINUX®. If UDP port 161 is open, then the device may be able to be further identified through the Simple Network Management Protocol (SNMP). Other possibilities exist. Once the presence of a device at a particular IP address and its open ports have been discovered, these configuration items are saved in CMDB 500.

In the classification phase, proxy servers 312 may further probe each discovered device to determine the version of its operating system. The probes used for a particular device are based on information gathered about the devices during the scanning phase. For example, if a device is found with TCP port 22 open, a set of UNIX®-specific probes may be used. Likewise, if a device is found with TCP port 135 open, a set of WINDOWS®-specific probes may be used. For either case, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 logging on, or otherwise accessing information from the particular device. For instance, if TCP port 22 is open, proxy servers 312 may be instructed to initiate a Secure Shell (SSH) connection to the particular device and obtain information about the operating system thereon from particular locations in the file system. Based on this information, the operating system may be determined. As an example, a UNIX® device with TCP port 22 open may be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. This classification information may be stored as one or more configuration items in CMDB 500.

In the identification phase, proxy servers 312 may determine specific details about a classified device. The probes used during this phase may be based on information gathered about the particular devices during the classification phase. For example, if a device was classified as LINUX®, a set of LINUX®-specific probes may be used. Likewise, if a device was classified as WINDOWS® 2012, as a set of WINDOWS®-2012-specific probes may be used. As was the case for the classification phase, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 reading information from the particular device, such as basic input/output system (BIOS) information, serial numbers, network interface information, media access control address(es) assigned to these network interface(s), IP address(es) used by the particular device and so on. This identification information may be stored as one or more configuration items in CMDB 500.

In the exploration phase, proxy servers 312 may determine further details about the operational state of a classified device. The probes used during this phase may be based on information gathered about the particular devices during the classification phase and/or the identification phase. Again, an appropriate set of tasks may be placed in task list 502 for proxy servers 312 to carry out. These tasks may result in proxy servers 312 reading additional information from the particular device, such as processor information, memory information, lists of running processes (applications), and so on. Once more, the discovered information may be stored as one or more configuration items in CMDB 500.

Running discovery on a network device, such as a router, may utilize SNMP. Instead of or in addition to determining a list of running processes or other application-related information, discovery may determine additional subnets known to the router and the operational state of the router's network interfaces (e.g., active, inactive, queue length, number of packets dropped, etc.). The IP addresses of the additional subnets may be candidates for further discovery procedures. Thus, discovery may progress iteratively or recursively.

Once discovery completes, a snapshot representation of each discovered device, application, and service is available in CMDB 500. For example, after discovery, operating system version, hardware configuration and network configuration details for client devices, server devices, and routers in managed network 300, as well as applications executing thereon, may be stored. This collected information may be presented to a user in various ways to allow the user to view the hardware composition and operational status of devices, as well as the characteristics of services that span multiple devices and applications.

Furthermore, CMDB 500 may include entries regarding dependencies and relationships between configuration items. More specifically, an application that is executing on a particular server device, as well as the services that rely on this application, may be represented as such in CMDB 500. For instance, suppose that a database application is executing on a server device, and that this database application is used by a new employee onboarding service as well as a payroll service. Thus, if the server device is taken out of operation for maintenance, it is clear that the employee onboarding service and payroll service will be impacted. Likewise, the dependencies and relationships between configuration items may be able to represent the services impacted when a particular router fails.

In general, dependencies and relationships between configuration items may be displayed on a web-based interface and represented in a hierarchical fashion. Thus, adding, changing, or removing such dependencies and relationships may be accomplished by way of this interface.

Furthermore, users from managed network 300 may develop workflows that allow certain coordinated activities to take place across multiple discovered devices. For instance, an IT workflow might allow the user to change the common administrator password to all discovered LINUX® devices in a single operation.

In order for discovery to take place in the manner described above, proxy servers 312, CMDB 500, and/or one or more credential stores may be configured with credentials for one or more of the devices to be discovered. Credentials may include any type of information needed in order to access the devices. These may include userid/password pairs, certificates, and so on. In some embodiments, these credentials may be stored in encrypted fields of CMDB 500. Proxy servers 312 may contain the decryption key for the credentials so that proxy servers 312 can use these credentials to log on to or otherwise access devices being discovered.

The discovery process is depicted as a flow chart in FIG. 5B. At block 520, the task list in the computational instance is populated, for instance, with a range of IP addresses. At block 522, the scanning phase takes place. Thus, the proxy servers probe the IP addresses for devices using these IP addresses, and attempt to determine the operating systems that are executing on these devices. At block 524, the classification phase takes place. The proxy servers attempt to determine the operating system version of the discovered devices. At block 526, the identification phase takes place. The proxy servers attempt to determine the hardware and/or software configuration of the discovered devices. At block 528, the exploration phase takes place. The proxy servers attempt to determine the operational state and applications executing on the discovered devices. At block 530, further editing of the configuration items representing the discovered devices and applications may take place. This editing may be automated and/or manual in nature.

The blocks represented in FIG. 5B are for purpose of example. Discovery may be a highly configurable procedure that can have more or fewer phases, and the operations of each phase may vary. In some cases, one or more phases may be customized, or may otherwise deviate from the exemplary descriptions above.

V. Example Licensed Enterprise Resource Planning System

While some software applications used by managed network 300 may be hosted by an aPaaS system, as described above in relation to FIGS. 1 through 4, others may be installed on the individual computing, client, and/or server devices of managed network 300. Such software is often proprietary, and may be licensed in various ways, such as per user, per processor, per processor core, per computing device, based on one or more metrics, and/or in other manners. An example of such software is enterprise resource planning (ERP) software, which can take the form of one software application or suite of software applications that are configured for use by an enterprise in collecting, storing, managing, and interpreting data related to a variety of enterprise operations, such as HR, finance, IT, or other operations that are unique to the enterprise. The following description primarily relates to ERP software, but can also apply to other types of proprietary software that can be installed on devices in managed network 300.

ERP software can be installed on and executed by multiple computing devices within managed network 300. This ERP software, along with the multiple computing devices of managed network 300 on which the ERP software is installed, can be collectively referred to as an “ERP system.”

The ERP system can include multiple, logically discrete subsystems, or “ERP clients.” Each ERP client can include one or more computing devices within managed network 300 on which ERP software is installed. Further, each ERP client can have its own data that is collected, stored, managed, etc. The data for a particular ERP client can include data created, stored, etc. for the ERP client that is accessible to other ERP clients and/or data created, stored, etc. for the ERP client that is not accessible to other ERP clients.

FIG. 6 shows an example ERP system 600 within managed network 300. As shown, the ERP system 600 includes four ERP clients—namely, ERP client 602, ERP client 604, ERP client 606, and ERP client 608. Each ERP client can include one or more computing devices and one or more databases in which data is stored for the ERP client. For simplicity, such computing devices and databases are not shown in FIG. 6.

Each ERP client of an ERP system can be dedicated for use in carrying out particular activities. As noted above, ERP software may facilitate HR, finance, IT, supply chain, and customer relationship management operations, to name just a few uses. But individual ERP clients can have more specific functions as well. For example, an ERP client can be a training client dedicated to training users how to access and use ERP software or a development client dedicated to developing software applications that are executable in accordance with the ERP system. In some implementations, the ERP software can provide a unique programming language, developed by the provider of the ERP software for use by enterprises in developing and testing software applications, and/or can be configured to recognize other programming languages. Other example ERP clients can include a testing client dedicated to testing developed applications and a production client dedicated to the live operation of tested/deployed applications as well as the live operation of other services that the ERP software provides. ERP clients can be dedicated to other activities as well. In some cases, activities performed in one ERP client can be performed independently from activities performed in another ERP client and without affecting the data of the other ERP client. For example, applications being tested on a testing client might not be accessible to users logged on to a production client.

Additionally or alternatively to being dedicated for use in carrying out particular activities, an ERP client (or group of ERP clients) can be dedicated for use by a particular entity or entities within the enterprise. For example, an ERP client can be dedicated to a particular department of the enterprise, such an IT department or an HR department, or can be dedicated to a particular geographic location of the enterprise, such as one ERP client for a branch of the enterprise operating in Europe, and another ERP client for a branch of the enterprise operating in North America.

A user can access an ERP client by way of an end-user device—that is, a computing device that can access or otherwise communicate with one or more ERP clients of the ERP system 600. For example, an end-user device can be one of the client devices 302 shown in FIG. 3. These end-user devices are not shown in FIG. 6 for purposes of simplicity.

When a user accesses an ERP client, a communication session (also referred to herein as a “session”) can be established and conducted via a connection between an end-user device and the ERP client. During such a session, the end-user device can receive data stored in a database associated with the ERP client, transmit data to the ERP client for the ERP client to write to the database, or perform other actions. Further, the ERP client can be configured to collect and store, in the database, records of such sessions. These records can include a variety of information associated with the sessions and the end-user devices and users involved in the sessions, including but not limited to network addresses (e.g., IP addresses) of the end-user devices, user identifiers, and/or other user information.

An ERP client can be accessed in various ways. For example, a user can access the ERP client directly by way of a graphical user interface (GUI) delivered with or as part of the ERP system. The GUI can be provided as part of a software application developed by the provider of the ERP software and installed on an end-user device, and a user can use the GUI to log on to access the ERP client. As shown in FIG. 6, user 610 is directly accessing ERP client 602, perhaps by way of a GUI.

Alternatively, a user can access the ERP client indirectly by way of an “intermediary package,” such as an intermediary software application or intermediary platform, that is not part of the ERP system but that has an integration with the ERP system. For example, a user having an account associated with the intermediary package can access an ERP client via the intermediary package. Such an intermediary package can include software custom-built by the enterprise and/or software developed by a third-party. Further, this intermediary package can be executable by one or more computing devices associated with managed network 300 or elsewhere (e.g., a computing device outside of managed network 300). In an example managed network, for instance, an HR department may use HR software supporting integration with an ERP client that is dedicated to the HR department. Similarly, an IT department may use IT software supporting integration with an ERP client that is dedicated to the IT department. As shown in FIG. 6, user 612 is indirectly accessing ERP client 606 by way of intermediary package 616.

To access an ERP client, a user is typically required to have a license. For example, if a user is directly or indirectly accessing an ERP client in the manners described above, a license may be required. Thus, both user 610 and user 612 may require a license to access their respective ERP clients. However, other types of user communication with an ERP client are possible as well, some of which might not require a license. For example, a computing device within or outside of managed network 300 can be controlled by a user to perform, or can be configured to autonomously perform, various background processes involving the ERP system. Such background processes might or might not require a user to be logged on to the ERP system, and might not require a license. As shown in FIG. 6, computing device 614 is performing background processes with respect to ERP client 608.

An ERP client can be configured to store license data in its database. The license data can take the form of a table including a list of accounts for individual users whom are licensed to access the ERP client and respective access capabilities of the users. For example, an account for user 610 can be included on a list stored by ERP client 602 and an account for user 612 can be included on a list stored by ERP client 606. The table can include a variety of user-related data, including but not limited to a user identifier that is unique to the ERP system (e.g., the userid that the user logs on with), an email address of the user, the user's name, a user type (e.g., an indication of whether the user directly accesses the ERP client indirectly accesses the ERP client), a type of license allocated to the user (examples of which are provided in more detail below), a date from which the license is valid, a date through which the license is valid, a date/time at which the user last logged on to the ERP client, an indication of whether the user is a locked user (i.e., a user who is restricted from accessing the ERP client, such as a user who was previously employed by the enterprise), among other possibilities.

Further, an ERP client might also be configured to store, in its database, a table including a list of non-licensed users and/or computing devices who are authorized to access the ERP client. For example, computing device 614 can be included on a list stored by ERP client 608.

As noted above, a license allocated to an individual user can have a particular license type that defines which activities the user is authorized to perform using the ERP system. In some licensing arrangements, the type of license allocated to an individual user can range from a lowest level license to a highest level license, where the level of a license depends on one or more metrics, such as an operational role that the user has within the enterprise. For example, a higher level license can be allocated to a user having an administrative role—that is, an administrator with the authorization to perform certain activities for the benefit of the administrator as well as for the benefit lower level users (e.g., other employees of the enterprise). Such activities might include developing applications, managing user accounts, creating new databases and database tables, and managing stored data for the ERP client. On the other hand, a lower level license can be allocated to a non-administrative user within the enterprise, such as a user whose role might only involve performing activities for the user's own benefit and not on behalf of other users. Other examples of license types are possible as well.

With the above-described licensing arrangement, some higher level licenses and some lower level licenses can overlap in scope. That is, a higher level license might authorize a user to perform the same activity as a lower level license. For example, a lower level license can grant a non-administrative user permission to view data of an ERP client, but might not grant permission to edit the data. On the other hand, a higher level license can grant an administrative user permission to both view and edit the data of the ERP client. Thus, the administrative user does not need both a higher level license and a lower level license to view and edit the data, only the higher level license. Other examples are possible as well.

License levels can be defined by the provider of the ERP software and/or defined by the enterprise. One reason for having enterprise-defined license levels is to uniquely tailor a license to a particular user role within the enterprise, although there may be additional or alternative reasons for doing so as well.

Furthermore, in some licensing arrangements, for a user to access multiple ERP clients, the user can be required to have a separate license for each such ERP client. In some cases, one license allocated to the user for one ERP client might not be the same license type as another license allocated to the user for another ERP client. Alternatively, the license allocated to the user for each ERP client might have the same license type.

VI. Example Consolidation of User License Data

There are various approaches for software asset management in which an enterprise attempts to keep track of which of its computing devices and users are using licensed software and thus track to what degree software usage complies with software license rights held by managed network 300. Some of these approaches can be applied to licensed software in general, while others can be applied specifically to ERP software.

With respect to licensed software in general, the enterprise might attempt to maintain accurate software entitlement records (i.e., records that provide information about software license rights held by managed network 300). One way in which this might occur is by counting licenses and comparing the license count to a number of software installations within managed network 300. This can be performed on a cyclical basis, such as during audit cycles. Still, these and other approaches for licensed software in general can present challenges. For example, a large enterprise may use thousands of separate computing devices, each of which may use a set of software applications. Further, such computing devices may go in and out of service, or require different software applications over time. Still further, different versions or builds of each software application may be installed across these computing devices.

On the other hand, with respect to ERP software in particular, the enterprise might attempt to separately log on to each ERP client in the ERP system 600 to request that ERP client's stored list of accounts for licensed individual users. However, this approach can have drawbacks as well. For example, this approach might require that multiple licenses be allocated to a single user, or multiple licenses be allocated across multiple different users, so that such user(s) are authorized to log on to the ERP clients and retrieve the license data stored at those ERP clients. In addition, the enterprise might utilize a computing system outside of the ERP system 600, such as remote network management platform 320, and create a separate external connection (i.e., a connection that does not exist solely within the ERP system 600) between the computing system and each ERP client over which the computing system can retrieve license data stored at that ERP client. Each such external connection can be a direct connection between the computing system and an ERP client, or can be a connection between the computing system and the ERP client via proxy servers 312.

Acquiring the authorization to log on to each ERP client, creating external connections to each ERP client, and independently retrieving the license data from each ERP client can be a time consuming and complex process to execute and manage, particularly when managed network 300 includes large quantities (e.g., hundreds) of ERP clients. Further, if an external interface provided by one or more ERP clients changes (e.g., a change in message flow and/or message content), the software applications used to access and retrieve license data from these ERP clients might have to be changed as well, which can be even more complex and time consuming when multiple external interfaces are used. Still further, if acquiring the proper authorization, creating the external connections, and retrieving the license data from each ERP client is done as a manual process, the process can be so slow that the license data will likely be out of date by the time all of the license data is collected due to the extent of ERP clients as well as the dynamic nature of the data.

In addition, if the enterprise decides to retrieve license data from less than all of the ERP clients in the ERP system 600, the enterprise might receive an incomplete picture of the licenses the enterprise holds, which is undesirable. One reason why an incomplete picture would result is that, as noted above, multiple licenses might be allocated to the same user for different ERP clients, and such licenses might be of the same or different license types. Thus, to more accurately track ERP software license compliance, the enterprise might be required to spend time going through the complex and unworkable approach described above.

If ERP software license compliance is not concisely and accurately tracked, an enterprise might risk being non-compliant with its licenses. Two example ways in which this can occur is license misuse and license mismanagement. License misuse can refer to scenarios where the enterprise and its associated users intentionally or unintentionally violate ERP software licenses, such as when the enterprise has purchased licenses for a particular number of users, but more than that number of users are accessing ERP software. License misuse can render the enterprise liable for additional license fees and can possibly place the enterprise at risk of penalties resulting from the misuse. On the other hand, license mismanagement can refer to a scenario where the enterprise might not be violating any ERP licenses, but rather might be paying for more licenses than the enterprise needs or might be paying for a higher level license when a lower level license would be sufficient for meeting the enterprise's needs. License mismanagement is particular likely after merger and/or acquisition activities in which one enterprise merges with or acquires another enterprise. If both have legacy ERP system licenses, the combined enterprise may have numerous redundancies in these licenses, which the embodiments herein will rapidly discover.

Therefore, it is desirable for an enterprise to be able to efficiently collect and maintain accurate, up-to-date license data associated with ERP software, particularly as the enterprise's use of ERP software changes over time. Doing so is especially relevant when managed network 300 includes large quantities (e.g., thousands) of computing devices, users, etc., when the ERP system 600 includes large quantities (e.g., hundreds) of ERP clients, or when there are large quantities of users that are each licensed to use one or more of the ERP clients.

Accordingly, the present disclosure provides a software application that collects, consolidates, and stores license data from each of the ERP clients in the ERP system 600. In particular, the software application can be deployed on one of the ERP clients of the ERP system 600, which will be referred to herein as the “central ERP client.” The software application can be configured to cause the central ERP client to (i) establish a respective secure, internal connection (e.g., a connection existing between computing devices within the ERP system 600) with each of the other ERP clients, (ii) retrieve, over the internal connections, the respective license data stored at each ERP client, and (iii) store the license data in a database of the central ERP client.

Further, the software application can be configured to communicate with a computational instance of remote network management platform 320 over an external connection between the central ERP client and the computational instance, perhaps via proxy servers 312. The computational instance may provide a web portal or application, such as a software asset management portal or application, through which a user can log on to the central ERP client, establish the external connection with the central ERP client, and instruct the central ERP client to retrieve the license data from the other ERP clients. The computational instance can also receive the retrieved license data over the external connection. In some implementations, proxy servers 312 can retrieve the license data from the central ERP client and temporarily store the license data at proxy servers 312 before transmission of this license data to the computational instance.

The act of computational instance instructing the central ERP client to retrieve the license data from the other ERP clients and the act of the central ERP client sending the computational instance the retrieved license data can occur asynchronously. For example, a user can log on to the central ERP client and instruct the central ERP client to retrieve the license data from the other ERP clients and transmit the license data to the computational instance. Other activities can then take place on the computational instance while the process of the central ERP client retrieving the license data and transmitting the license data to the computational instance occurs in the background. Such a background process may take several minutes or hours, so the user may log off of the central ERP client while it is taking place, and then log in again later to view the results.

In some implementations, the software application can also be configured to cause the central ERP client to retrieve up-to-date license data from the other ERP clients on a periodic basis at a pre-scheduled time (e.g., daily, weekly, every night at 10:00 pm, within 24 hours before every audit cycle, etc.). Additionally or alternatively, a user can use the computational instance to schedule times at which the central ERP client is triggered to retrieve license data from the other ERP clients.

Implementations of this disclosure provide technological improvements that are particular to computer networks and computing systems, for example, managed computer networks such as managed network 300.

Computing network-specific technological problems, such as inefficiency, unreliability, and complexity of monitoring software license usage in managed networks—particularly large managed networks with hundreds or thousands of computing devices, software applications, and user activity thereon—can be wholly or partially solved by the implementations of this disclosure.

For example, implementations of this disclosure help reduce or eliminate the challenges presented by the above-described approaches. In particular, having the central ERP client retrieve all of the license data from other ERP clients via internal connections can reduce the number of external connections to the ERP system. For instance, hundreds of external connections might be involved in some approaches, but implementations of this disclosure involve as low as one external connection—namely, the external connection between the computational instance (e.g., by way of a proxy server) and the central ERP client. Thus, the time and complexity associated with creating, re-creating, and managing numerous external connections is reduced or eliminated. Other implementations of this disclosure might involve more than one external connection, but the total number of external connections might still be very low compared to the number of external connections in approaches.

Further, because the computational instance retrieves license data from the central ERP client over a small number of external connections (e.g., one connection), authorization to access the central ERP client and retrieve the license data might only need to be granted to a small number of users. For example, authorization to log on to the central ERP client might only be needed for a single account through which one or more users can access the license data.

Moreover, because implementations of this disclosure improve the manner in which the enterprise can collect and maintain ERP software license data, the undesirable consequences associated with mismanaging or misusing ERP software licenses can be reduced.

These and other improvements are described in more detail below, though the operations described below are for purposes of example and that implementations may provide other improvements as well.

FIG. 7 illustrates an example communication environment in which a software application, software application 700, can collect and store license data from ERP clients in the ERP system 600. As shown, software application 700 is deployed on and executable on a central ERP client 702. The central ERP client 702 is a given one of the ERP clients—in this case, the ERP client formerly denoted as ERP client 602—that is selected to be the ERP client that hosts software application 700.

The central ERP client 702 also includes a database 704 in which software application 700 can store the license data retrieved from the other ERP clients, as well as the license data associated with the central ERP client 702 itself (i.e., a list of accounts of users licensed to access the central ERP client 702). In particular, the database 704 can include one or more tables, designated for access by the enterprise via computational instances of remote network management platform 320, in which license data from the ERP system 600 is consolidated and stored. The database 704 might include other tables as well, in which other types of data can be stored. With a single ERP client in which the license data from the ERP system 600 is stored, such as all the license data from all of the ERP clients, the enterprise does not need to access multiple databases and/or database tables across multiple ERP clients, thereby reducing the time and complexity associated with viewing and managing license data.

The central ERP client 702 is shown to be in communication with ERP client 604, ERP client 606, and ERP client 608. These three other ERP clients can represent all of the other ERP clients in the ERP system 600, or can represent less than all of the ERP clients in the ERP system 600. To retrieve the license data from ERP client 604, for instance, software application 700 can establish a connection and communicate with ERP client 604 in accordance with one or more application layer communication protocols. Such a protocol may define a process for establishing the connection, logging on to ERP client 604, carrying out a session in which data is exchanged between the central ERP client 702 and ERP client 604, and/or other aspects of the session. In an example session between the central ERP client 702 and ERP client 604, for instance, software application 700 can make a remote function call or series of function calls that causes ERP client 604 to execute instructions associated with the function call(s) and perform one or more operations defined by the instructions. The instructions can include, at a minimum, an instruction to transmit, to the central ERP client 702, a copy of the license data stored on ERP client 604. The central ERP client 702 can retrieve license data from ERP client 606 and ERP client 608 in a similar manner.

In some implementations, the one or more protocols may be proprietarily associated with the provider of the ERP software, and the central ERP client 702, other ERP clients of the ERP system 600, and/or other computing devices shown in FIG. 7, may be configured to communication according to the protocol(s). As a more particular example, the ERP system 600 may be a SAP® system and the protocol may be a remote function call (RFC) protocol. Other examples, both proprietary and non-proprietary, are possible as well.

FIG. 7 also shows the central ERP client 702 having a connection with computational instance 322 of remote network management platform 320. Further, computational instance 322 is shown to include software application 706, which represents an application provided by computational instance 322 and configured to perform various operations relating to software asset management—namely, operations related to ERP software license compliance.

To facilitate this, computational instance 322 has a first connection with proxy servers 312 and proxy servers 312 have a second connection with the central ERP client 702, thereby creating the connection between computational instance 322 and the central ERP client 702. This connection between computational instance 322 and the central ERP client 702—or, more particularly, the second connection between proxy servers 312 and the central ERP client 702—is a type of external connection defined above and, in order for the external connection to be established, computational instance 322 and/or proxy servers 312 may require authorization to log on to the central ERP client 702. In some implementations, the first connection and the second connection can be active at the same time, although they do not have to be. For example, computational instance 322 can instruct proxy servers 312 to establish the second connection with the central ERP client 702 so that proxy servers 312 can in turn instruct the central ERP client 702 to retrieve the license data from the other ERP clients. The first connection can then be terminated and the second connection can be established.

Although communications between computational instance 322 and the central ERP client 702 are shown in FIG. 6 as occurring via proxy servers 312, it should be understood that, in other implementations, computational instance 322 can communicate directly with the central ERP client 702 without using proxy servers 312.

With computational instance 322, proxy servers 312, and the central ERP client 702 communicating as shown in FIG. 6, a user can use a web portal or application provided by computational instance 322, such as software application 706, to view or retrieve the license data stored in database 704, and perhaps provide various other instructions to the central ERP client 702. For example, computational instance 322 can transmit an instruction to proxy servers 312 and proxy servers 312 can then transmit the instruction to the central ERP client 702. The instruction can be a remote function call that causes the central ERP client 702 to transmit, to computational instance 322, the license data stored in the database 704. As such, when the central ERP client 702 receives the instruction from proxy servers 312, the central ERP client 702 can responsively transmit, to proxy servers 312, the license data. Proxy servers 312 can then transmit the license data to computational instance 322, either immediately after receiving the license data from the central ERP client 702 or after temporarily and locally storing the license data (e.g., in proxy servers 312).

Various other instructions can be transmitted to the central ERP client 702 in this same manner described above. Further, in some implementations, at least some of communications between computational instance 322, proxy servers 312, and the central ERP client 702 can be governed by the same communication protocol(s) described above.

As noted above, the process of the central ERP client 702 retrieving license data from other ERP clients can occur periodically at a pre-scheduled time (e.g., every night at 10:00 pm, or within 24 hours before an audit cycle) and/or can run in the background while other processes are being performed. To facilitate periodic retrieval of license data, computational instance 322 can provide a GUI that the user can use to set a frequency at which the central ERP client 702 retrieves license data from other ERP clients and makes the license data available to computational instance 322 (either by enabling the user to view the license data or by transmitting a copy of the license data to computational instance 322). When the user sets the frequency, computational instance 322 can transmit, to the central ERP client 702, a single instruction to retrieve the license data at the frequency. Alternatively, computational instance 322 can transmit, to the central ERP client 702, at the frequency, separate instructions to retrieve the license data. By having license data retrieved on a recurring basis, the enterprise can keep up-to-date with the most-recent license data.

A user can use computational instance 322 to cause the central ERP client 702 to perform other actions as well, some of which can relate to managing the license data. For example, computational instance 322 can provide a GUI through which the user can provide an input indicating an instruction to delete a specific portion of the license data currently being stored in the database 704. Thus, computational instance 322 can transmit the instruction to the central ERP client 702 and, in response, the central ERP client 702 can delete the specific portion of the license data.

VII. Example Operations

FIG. 8 is a flow chart illustrating one of several possible example embodiments. The embodiments of FIG. 8 may be simplified by the removal of any one or more of the features shown therein. Further, these embodiments may be combined with features, aspects, and/or implementations of any of the previous figures or otherwise described herein.

The process illustrated by FIG. 8 may be carried out by a computing device, such as computing device 100, and/or a cluster of computing devices, such as server cluster 200. However, the process can be carried out by other types of devices or device subsystems. For example, the process could be carried out by a portable computer, such as a laptop or a tablet device.

For the purposes of example, the process illustrated by FIG. 8 will be described as being carried out by a software application, such as software application 700, that is executable on a central ERP client of a plurality of ERP clients. The ERP clients can be contained within a managed network as part of an ERP system. Each ERP client can be associated with one or more computing devices of the managed network on which ERP software is executable, and each ERP client can include a database that stores user-related data containing a list of identifiers (e.g., userids and/or account identifiers) of individual users of the managed network whom are authorized to access the ERP client and respective access capabilities (e.g., provided by licenses associated with the identifiers) thereof.

Block 800 involves communicating with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in databases of the other ERP clients.

Block 802 involves storing, in the database of the central ERP client, the user-related data from the other ERP clients.

Block 804 involves transmitting, to a computing device of a computational instance, the user-related data from the other ERP clients, where the computational instance is contained in a remote network management platform associated with the managed network.

In some embodiments, storing the user-related data may involve storing the user-related data in a single table associated with the remote network management platform.

In some embodiments, retrieving the user-related data may involve retrieving the user-related data over internal connections between the central ERP client and the other ERP clients. The internal connections may be contained entirely within the ERP system of the managed network. Further, transmitting the user-related data to the computing device of the computational instance may involve transmitting the user-related data to the computing device of the computational instance over an external connection between the central ERP client and the computing device of the computational instance.

In some embodiments, transmitting the user-related data to the computing device of the computational instance may involve transmitting the user-related data to the computing device of the computational instance via a proxy server contained in the managed network.

In some embodiments, the process may also involve receiving, from the computing device of the computational instance, an instruction to collect the user-related data. In such embodiments, communicating with the other ERP clients to retrieve the user-related data, storing the user-related data, and transmitting the user-related data may be performed in response to receiving the instruction.

In some embodiments, the process may also involve receiving, from the computing device of the computational instance, an instruction identifying a portion of the user-related data to delete, and, in response to receiving the instruction, deleting the identified portion of the user-related data from the database of the central ERP client.

In some embodiments, the access capabilities include, for the individual users, userids associated with the ERP system, user types indicating whether the users directly accesses the ERP client or indirectly accesses the ERP client via an intermediary package, dates from which the users have been authorized to access the ERP client, and dates through which the users are authorized to access the ERP client.

In some embodiments, communicating with the other ERP clients to retrieve the user-related data and storing the user-related data may occur as a background process while other activities are performed by the computational instance.

VIII. Conclusion

The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its scope, as will be apparent to those skilled in the art. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those described herein, will be apparent to those skilled in the art from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims.

The above detailed description describes various features and operations of the disclosed systems, devices, and methods with reference to the accompanying figures. The example embodiments described herein and in the figures are not meant to be limiting. Other embodiments can be utilized, and other changes can be made, without departing from the scope of the subject matter presented herein. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations.

With respect to any or all of the message flow diagrams, scenarios, and flow charts in the figures and as discussed herein, each step, block, and/or communication can represent a processing of information and/or a transmission of information in accordance with example embodiments. Alternative embodiments are included within the scope of these example embodiments. In these alternative embodiments, for example, operations described as steps, blocks, transmissions, communications, requests, responses, and/or messages can be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved. Further, more or fewer blocks and/or operations can be used with any of the message flow diagrams, scenarios, and flow charts discussed herein, and these message flow diagrams, scenarios, and flow charts can be combined with one another, in part or in whole.

A step or block that represents a processing of information can correspond to circuitry that can be configured to perform the specific logical functions of a herein-described method or technique. Alternatively or additionally, a step or block that represents a processing of information can correspond to a module, a segment, or a portion of program code (including related data). The program code can include one or more instructions executable by a processor for implementing specific logical operations or actions in the method or technique. The program code and/or related data can be stored on any type of computer readable medium such as a storage device including RAM, a disk drive, a solid state drive, or another storage medium.

The computer readable medium can also include non-transitory computer readable media such as computer readable media that store data for short periods of time like register memory and processor cache. The computer readable media can further include non-transitory computer readable media that store program code and/or data for longer periods of time. Thus, the computer readable media may include secondary or persistent long term storage, like ROM, optical or magnetic disks, solid state drives, compact-disc read only memory (CD-ROM), for example. The computer readable media can also be any other volatile or non-volatile storage systems. A computer readable medium can be considered a computer readable storage medium, for example, or a tangible storage device.

Moreover, a step or block that represents one or more information transmissions can correspond to information transmissions between software and/or hardware modules in the same physical device. However, other information transmissions can be between software modules and/or hardware modules in different physical devices.

The particular arrangements shown in the figures should not be viewed as limiting. It should be understood that other embodiments can include more or less of each element shown in a given figure. Further, some of the illustrated elements can be combined or omitted. Yet further, an example embodiment can include elements that are not illustrated in the figures.

While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purpose of illustration and are not intended to be limiting, with the true scope being indicated by the following claims. 

What is claimed is:
 1. A system comprising: a remote network management platform associated with a managed network and containing a computational instance, wherein the managed network contains an enterprise resource planning (ERP) system comprised of a plurality of ERP clients, wherein each ERP client is associated with one or more computing devices of the managed network on which ERP software is executable, and wherein each ERP client includes a database that stores user-related data containing a list of identifiers of individual users of the managed network whom are authorized to access the ERP client and respective access capabilities thereof; a software application, executing on one of the ERP clients that is designated as a central ERP client, and configured to cause the central ERP client to: communicate with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in the databases of the other ERP clients; store, in the database of the central ERP client, the user-related data from the other ERP clients; and transmit, to a computing device of the computational instance, the user-related data from the other ERP clients.
 2. The system of claim 1, wherein the central ERP client stores the user-related data from the other ERP clients in a single table associated with the remote network management platform.
 3. The system of claim 1, wherein the central ERP client retrieves the user-related data over internal connections between the central ERP client and the other ERP clients, wherein the internal connections are contained entirely within the ERP system of the managed network, and wherein the central ERP client transmits the user-related data to the computing device of the computational instance over an external connection between the central ERP client and the computing device of the computational instance.
 4. The system of claim 1, wherein the central ERP client transmits the user-related data to the computing device of the computational instance via a proxy server contained in the managed network.
 5. The system of claim 1, wherein the software application is further configured to cause the central ERP client to: receive, from the computing device of the computational instance, an instruction to collect the user-related data, wherein communicating with the other ERP clients to retrieve the user-related data, storing the user-related data, and transmitting the user-related data comprise communicating with the other ERP clients to retrieve the user-related data, storing the user-related data, and transmitting the user-related data in response to receiving the instruction.
 6. The system of claim 1, wherein the software application is further configured to cause the central ERP client to: receive, from the computing device of the computational instance, an instruction identifying a portion of the user-related data to delete; and in response to receiving the instruction, delete the identified portion of the user-related data from the database of the central ERP client.
 7. The system of claim 1, wherein the access capabilities include, for the individual users, userids associated with the ERP system, user types indicating whether the users directly accesses the ERP client or indirectly accesses the ERP client via an intermediary package, dates from which the users have been authorized to access the ERP client, and dates through which the users are authorized to access the ERP client.
 8. The system of claim 1, wherein the central ERP client communicating with the other ERP clients to retrieve the user-related data and storing the user-related data occur as a background process while other activities are performed by the computational instance.
 9. A method performed by a software application executable on a central enterprise resource planning (ERP) client of a plurality of ERP clients, wherein the ERP clients are contained within a managed network as part of an ERP system, wherein each ERP client is associated with one or more computing devices of the managed network on which ERP software is executing, and wherein each ERP client includes a database that stores user-related data containing a list of identifiers of individual users of the managed network whom are authorized to access the ERP client and respective access capabilities thereof, the method comprising: communicating with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in databases of the other ERP clients; storing, in the database of the central ERP client, the user-related data from the other ERP clients; and transmitting, to a computing device of a computational instance, the user-related data from the other ERP clients, wherein the computational instance is contained in a remote network management platform associated with the managed network.
 10. The method of claim 9, wherein storing the user-related data comprises storing the user-related data in a single table associated with the remote network management platform.
 11. The method of claim 9, wherein retrieving the user-related data comprises retrieving the user-related data over internal connections between the central ERP client and the other ERP clients, wherein the internal connections are contained entirely within the ERP system of the managed network, and wherein transmitting the user-related data to the computing device of the computational instance comprises transmitting the user-related data to the computing device of the computational instance over an external connection between the central ERP client and the computing device of the computational instance.
 12. The method of claim 9, wherein transmitting the user-related data to the computing device of the computational instance comprises transmitting the user-related data to the computing device of the computational instance via a proxy server contained in the managed network.
 13. The method of claim 9, further comprising: receiving, from the computing device of the computational instance, an instruction to collect the user-related data, wherein communicating with the other ERP clients to retrieve the user-related data, storing the user-related data, and transmitting the user-related data comprise communicating with the other ERP clients to retrieve the user-related data, storing the user-related data, and transmitting the user-related data in response to receiving the instruction.
 14. The method of claim 9, further comprising: receiving, from the computing device of the computational instance, an instruction identifying a portion of the user-related data to delete; and in response to receiving the instruction, deleting the identified portion of the user-related data from the database of the central ERP client.
 15. The method of claim 9, wherein the access capabilities include, for the individual users, userids associated with the ERP system, user types indicating whether the users directly accesses the ERP client or indirectly accesses the ERP client via an intermediary package, dates from which the users have been authorized to access the ERP client, and dates through which the users are authorized to access the ERP client.
 16. The method of claim 9, wherein communicating with the other ERP clients to retrieve the user-related data and storing the user-related data occur as a background process while other activities are performed by the computational instance.
 17. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a central enterprise resource planning (ERP) client, cause the central ERP client to perform operations, wherein the central ERP client is one of a plurality of ERP clients contained within a managed network as part of an ERP system of the managed network, wherein each ERP client is associated with one or more computing devices of the managed network on which ERP software is executing, and wherein each ERP client includes a database that stores user-related data containing a list of identifiers of individual users of the managed network whom are authorized to access the ERP client and respective access capabilities thereof, the operations comprising: communicating with other ERP clients of the plurality of ERP clients to retrieve the user-related data stored in databases of the other ERP clients; storing, in the database of the central ERP client, the user-related data from the other ERP clients; and transmitting, to a computing device of a computational instance, the user-related data from the other ERP clients, wherein the computational instance is contained in a remote network management platform associated with the managed network.
 18. The article of manufacture of claim 17, wherein storing the user-related data comprises storing the user-related data in a single table associated with the remote network management platform.
 19. The article of manufacture of claim 17, wherein retrieving the user-related data comprises retrieving the user-related data over internal connections between the central ERP client and the other ERP clients, wherein the internal connections are contained entirely within the ERP system of the managed network, and wherein transmitting the user-related data to the computing device of the computational instance comprises transmitting the user-related data to the computing device of the computational instance over an external connection between the central ERP client and the computing device of the computational instance.
 20. The article of manufacture of claim 17, wherein transmitting the user-related data to the computing device of the computational instance comprises transmitting the user-related data to the computing device of the computational instance via a proxy server contained in the managed network. 